PowerShell-Driven Multi-Stage Windows Malware Using Text Payloads
Researchers have uncovered the SHADOW#REACTOR campaign, a multi‑stage Windows malware chain that starts with an obfuscated VBS script and escalates through a PowerShell stager, text‑only payloads, and a .NET Reactor‑protected loader. The loader reflectively injects a Remcos RAT payload entirely in memory, using MSBuild as a trusted LOLBin to execute the final stage. Each component is modular, allowing attackers to update individual stages remotely and maintain a low static footprint. The technique targets both enterprise and SMB environments via socially engineered delivery.
HoneyTrap: Outsmarting Jailbreak Attacks on Large Language Models
Researchers from Shanghai Jiao Tong University, UIUC and Zhejiang University introduced HoneyTrap, a deceptive‑defense framework that counters multi‑turn jailbreak attacks on large language models. The system employs four specialized defensive agents to mislead attackers, prolong interactions, and drain computational resources...
Android Banking Malware deVixor Actively Targeting Users with Ransomware Capabilities.
Android banking trojan deVixor, active since October 2025, is distributing through counterfeit automotive‑sale websites targeting Iranian users. The malware harvests SMS OTPs, banking credentials, and cryptocurrency exchange data, and can remotely lock devices with a ransomware command demanding 50 TRX. Its...
Threat Actors Exploit RMM Tools Through Weaponized PDF Files
Threat actors are leveraging weaponized PDF attachments to install legitimate Remote Monitoring and Management (RMM) tools such as Syncro, SuperOps, NinjaOne, and ScreenConnect. The campaign, uncovered by ASEC, began with deceptive PDFs that display error messages or images, prompting users...
%20(1)%20(1).webp?ssl=1)
SAP January 2026 Security Patch Day Fixes Critical Injection and RCE Flaws
On January 13, 2026 SAP issued its monthly Security Patch Day, releasing 17 security notes that address 15 vulnerabilities across its product portfolio. Four critical‑severity flaws—CVE‑2026‑0501 (SQL injection in S/4HANA General Ledger), CVE‑2026‑0500 (remote code execution in Wily Introscope), and...
DPRK Hackers Earn $600M Posing as Remote Workers
North Korean state‑sponsored hackers are masquerading as remote IT workers, generating up to $600 million annually for the regime. They infiltrate Western firms by securing legitimate remote positions or creating fake front‑company job postings, then use living‑off‑the‑land techniques to embed persistent...
Top 5 Best Free VPN for 2026 to Protect Your Anonymity on the Internet
The article lists the top five free VPN services projected for 2026, emphasizing their ability to safeguard anonymity during activities like torrenting. It highlights common pitfalls of free VPNs, such as data leaks, bandwidth limits, and ad injection. Each recommended...
Top 5 Best Cyber Attack Prevention Methods for Small Businesses With Breach & Attack Simulation
Hackers now target small businesses, accounting for 43% of attacks, making cyber‑attack prevention a critical priority. Affordable cloud‑based antimalware and firewall services, along with Breach and Attack Simulation (BAS) platforms like Cymulate, give SMBs enterprise‑level protection. The article outlines five...
Malicious Chrome Extension Steals Wallet Credentials, Enables Automated Trading Abuse
Socket’s Threat Research Team uncovered a malicious Chrome extension, MEXC API Automator, that silently creates MEXC exchange API keys with withdrawal permissions. The extension exfiltrates the keys to a hard‑coded Telegram bot, enabling attackers to programmatically trade and drain wallets....
Web3 Dev Environments Hit by Fake Interview Software Scam
Web3 developers are being targeted by a new inbound scam where attackers pose as legitimate hiring firms on sites like youbuidl.dev. They lure candidates with senior‑level job postings and then require the download of a fake interview or coding‑test application....
India Remains Top Target for Mobile Attacks as Threats Surge 38%
India has become the world’s leading target for mobile cyber‑attacks, recording a 38% year‑over‑year surge and now representing 26% of global mobile malware traffic. Zscaler’s ThreatLabz report identified 239 malicious Android apps downloaded 42 million times, with retail and hospitality sectors...
PoC Released for Atarim Plugin Auth Bypass Vulnerability
A proof‑of‑concept for CVE‑2025‑60188 reveals a critical authentication bypass in the Atarim WordPress plugin. The flaw stems from using the publicly exposed site_id as the HMAC‑SHA256 secret, allowing attackers to forge valid admin requests. Exploit code published by researcher m4sh‑wacker...
Massive Instagram Data Breach Exposes Personal Details of 17.5 Million Users
A dark‑web marketplace is selling personal data from 17.5 million Instagram accounts, marking one of the largest social‑media breaches to date. Malwarebytes first reported the leak on X, confirming that usernames, email addresses, phone numbers and partial location data are being...
Cybercriminals Exploit Maduro Arrest News to Spread Backdoor Malware
Cybercriminals are exploiting news of Venezuelan President Nicolás Maduro’s alleged arrest to distribute a backdoor malware via spear‑phishing ZIP attachments. The ZIP contains a weaponized KuGou executable that loads a malicious DLL through DLL search‑order hijacking, creates a hidden Technology360NB...
Fog Ransomware Targets U.S. Organizations via Compromised VPN Credentials
Arctic Wolf Labs identified a new ransomware variant called Fog targeting U.S. organizations, primarily in education (80%) and recreation (20%) sectors. The attackers gained entry through compromised VPN credentials from two vendors and quickly escalated privileges using pass‑the‑hash, PsExec, and credential‑stuffing...
XRAT Malware Targets Windows Users via Fake Adult Game
AhnLab Security Intelligence Center uncovered a campaign that disguises the open‑source xRAT (QuasarRAT) remote‑access trojan as a fake adult game on Korean web‑hard services. The ZIP archive contains a Game.exe launcher that first runs a legitimate game stub, then copies...
50 Best Free Cyber Threat Intelligence Tools – 2026
The article curates a list of the 50 best free cyber‑threat‑intelligence (CTI) tools available in 2026, spanning data‑feeds, analysis platforms, automation frameworks, and IOC‑parsers. It highlights open‑source projects such as MISP, OpenCTI, and IntelMQ, as well as real‑time feeds like...
The Role of Initial Access Markets in Ransomware Campaigns Targeting Australia and New Zealand
The 2025 Threat Landscape Report shows a sharp rise in initial‑access sales targeting Australia and New Zealand, with 92 documented compromised‑access listings. Retail accounts for roughly one‑third of incidents, while BFSI and professional services together make up over half. The market...
New DocuSign-Themed Phishing Scam Delivers Stealth Malware to Windows Devices
Researchers have uncovered a sophisticated phishing campaign that impersonates DocuSign to deliver the Vidar information‑stealing malware to Windows computers. The attack uses a look‑alike domain and a fake installer signed with a legitimate Chinese code‑signing certificate to bypass reputation filters....
React2Shell Vulnerability Hit by 8.1 Million Attack Attempts
The React Server Components “Flight” protocol remote code execution flaw (CVE‑2025‑55182), known as React2Shell, has become the focus of a massive exploitation campaign. GreyNoise has logged over 8.1 million attack sessions, with daily volumes stabilizing at 300‑400 k after a December peak...
Report: China Breached Email Systems Used by U.S. Congressional Staff
According to a Financial Times investigation, Chinese state‑linked hackers breached email systems used by staff of several influential House committees. The intrusion gave the actors access to legislative drafts, policy discussions and potentially classified briefings. U.S. officials highlighted the vulnerability...
How Attackers Hide Processes by Abusing Kernel Patch Protection
Researchers disclosed a new Windows rootkit technique that hides malicious processes by using the legitimate PsSetCreateProcessNotifyRoutineEx API to repair ActiveProcessLinks just before the kernel’s PspProcessDelete validation runs. This timing‑based bypass evades both PatchGuard and Hypervisor‑Protected Code Integrity, allowing processes to...
GitLab Patches Multiple Flaws Allowing Arbitrary Code Execution
GitLab has issued emergency patches—versions 18.7.1, 18.6.3 and 18.5.5—to close seven newly disclosed vulnerabilities affecting self‑managed instances. The flaws include two high‑severity stored and reflected cross‑site scripting bugs, missing authorization checks in AI GraphQL endpoints, and a runner‑removal issue that...
BlueDelta Hackers Target Microsoft OWA, Google, and Sophos VPN to Steal Credentials
Recorded Future’s Insikt Group uncovered a credential‑harvesting campaign by the Russian‑state backed BlueDelta group throughout 2025. The actors deployed phishing emails with legitimate‑looking PDFs to lure victims into fake Microsoft Outlook Web Access, Google, and Sophos VPN login portals, using...
Linux Battery Utility Vulnerability Allows Authentication Bypass and System Tampering
A vulnerability in the TLP power‑profiles daemon (version 1.9.0) lets local users bypass Polkit authentication and tamper with system power settings. The flaw stems from using Polkit’s deprecated “unix‑process” subject, creating a PID race condition that grants elevated control without admin...
OwnCloud Warns Users to Enable MFA After Credential Theft Incident
ownCloud issued an urgent advisory urging users to enable Multi‑Factor Authentication after a credential‑theft incident reported by Hudson Rock. Threat actors stole passwords via infostealer malware such as RedLine, Lumma and Vidar and accessed accounts lacking MFA. The breach did not...
Global GoBruteforcer Botnet Campaign Threatens 50,000 Linux Servers
The GoBruteforcer botnet is actively compromising more than 50,000 internet‑facing Linux servers by brute‑forcing credentials for FTP, MySQL, PostgreSQL and phpMyAdmin services. Researchers note that AI‑generated deployment examples and legacy stacks like XAMPP have proliferated weak default passwords, expanding the...
Cybercriminals Exploit VMware ESXi Vulnerabilities Using Zero-Day Toolset
Huntress researchers uncovered a sophisticated campaign that leverages a zero‑day toolkit, MAESTRO, to exploit three critical VMware ESXi vulnerabilities disclosed in VMSA‑2025‑0004. The attack chain begins with stolen Domain Admin credentials used to compromise a SonicWall VPN, followed by lateral...
Hackers Using Malicious QR Codes for Phishing via HTML Table
Hackers have begun delivering phishing QR codes without images, rendering them as dense HTML tables of colored cells. This “imageless” approach evades traditional image‑analysis scanners that look for bitmap QR patterns. Recipients who scan the codes are directed to credential‑harvesting...
